Hi, we have the following error in one of the splunk instances: Error in 'litsearch' command: Your Splunk license expired or you have exceeded your license limit too many times. Renew your Splunk license by visiting www.splunk.com/store or calling 866.GET.SPLUNK. and the following warning exist in the licensing section for the " auto_generated_pool_download-trial " pool: This pool has exceeded its configured poolsize=524288000 bytes. A warning has been recorded for all members whereas the mentioned splunk is not trial version, It's an Enterprise version.  

Hi, I found 2 previous tickets about this cases (https://community.splunk.com/t5/Dashboards-Visualizations/How-to-create-multiple-tabs-in-splunk-dashboard-studio/td-p/598020) I need to convert my dashboard to studio dashboard from classic (because customers weren't satisfied with the filters in the classic version), i need to add tabs to my dashboard because i can't insert all charts in one page (too much charts and different topics) How can I implement tabs? or maybe a workaround solution? I don't want to create each tab as a different dashboard. Thanks, Maayan

Hi, i need to add two queries so that they could come in different fields in one visualization, one will be the error and one will be success transaction.   index=sso Appid="APP-49" PROD ("Util.validateAuth" AND "METHOD_ENTRY")   - ERROR index=sso Appid="APP-49" PROD ("RestTorHandler : hleError :" OR "java.net.SocketException: Connection reset]" OR "Error in processor call." OR level="error" NOT "resubmit the request")      - SUCCESS   need to add both the queries and provide the count for error and count for success but while using this query, sum of the error transaction level!=error so the error count is not matching. index=ss Appid="APP-49" PROD ("Util.validateAuth" AND "METHOD_ENTRY") OR index=sso ("RestTorHandler : hleError :" OR "java.net.SocketException: Connection reset]" OR "Error in processor call." OR level="error" NOT "resubmit the request")  | rex field=_raw " (?<service_name>\w+)-prod" | eval err_flag = if(environment="nonprod", 1,0) | eval success_flag = if(level!="ERROR", 1,0) | stats sum(err_flag) as total_errors, sum(success_flag) as total_successes by service_name   Please help it would be great.  

hi, I have splunk 9.0.6 and sysmon add-on 3.1.0.  The lookup table called "microsoft_sysmon_eventcode.csv" correctly appears in Splunk Lookup Table Files list.   But, in the automatic lookup, the Lookup-eventcode is wrongly assigned to "eventcode" lookup instead of "sysmon_eventcode".   Searching for this "eventcode" lookup, it belongs to the app Defender.   Surprisingly, when I tried to fix this bug using the UI, the sysmon_eventcode lookup table did not appear in the dropdown list. I only see "sysmon-record_type-lookup".   Do you have any idea what might be happening?

  How to get rid of Splunk UNKNOWN_VERSION on splunk UI. This is happening on all the browsers (Chrome, Edge, Firefox)  and clearing the cache does not help Login into splunk and observe version by mouse over on tab Refresh the page it will be shown correctly  Now logout and login again  Observe version by mouse over on tab. It again shows UNKNOWN_VERSION